Установка Greenbone Vulnerability Management (GVM) 22.4.1 на Debian 11 Bullseye
Все действия ниже будут выполняться от root.
# Устанавливаем необходимые пакеты зависимостей.
# Build toolchain, libraries, Python modules and PostgreSQL needed to compile
# and run the GVM components.
# NOTE(review): later steps call `sudo` and `lsb_release`, which are not in
# this list; confirm they are already present on the host.
gvm_build_deps=(
  build-essential curl cmake pkg-config gcc-mingw-w64 gnupg gnutls-bin
  libglib2.0-dev libgpgme-dev libgnutls28-dev libcurl4-gnutls-dev uuid-dev
  libssh-gcrypt-dev libhiredis-dev libxml2-dev libpcap-dev libnet1-dev
  libldap2-dev libradcli-dev libpq-dev libical-dev xsltproc rsync libbsd-dev
  texlive-latex-extra texlive-fonts-recommended xmlstarlet zip rpm fakeroot
  nsis gpgsm wget sshpass openssh-client socat bison snmp libsnmp-dev nmap
  smbclient xmltoman doxygen graphviz xml-twig-tools libmicrohttpd-dev
  libpopt-dev libunistring-dev heimdal-dev perl-base libgcrypt20-dev
  libksba-dev libjson-glib-dev libpaho-mqtt-dev mosquitto pandoc git
  python3 python3-pip python3-setuptools python3-packaging python3-wrapt
  python3-cffi python3-psutil python3-lxml python3-defusedxml
  python3-paramiko python3-redis python3-gnupg python3-paho-mqtt
  python3-venv python3-impacket
  postgresql postgresql-contrib postgresql-server-dev-13
)
apt-get install --yes "${gvm_build_deps[@]}"
# Установка NodeJS v14.x
# Register the NodeSource APT repository with its own keyring (scoped through
# signed-by rather than trusted for every repository) and install Node.js.
# NOTE(review): Node.js 14.x is past its upstream end-of-life and no longer
# receives security fixes; it is used here as a build-time dependency.
export NODE_VERSION=node_14.x
export KEYRING=/usr/share/keyrings/nodesource.gpg
export DISTRIBUTION="$(lsb_release -s -c)"

# Convert the ASCII-armoured key to the binary keyring format APT expects.
curl -fsSL https://deb.nodesource.com/gpgkey/nodesource.gpg.key \
  | gpg --dearmor \
  | sudo tee "$KEYRING" >/dev/null

# Show what was stored so the key can be inspected before it is relied on.
gpg --no-default-keyring --keyring "$KEYRING" --list-keys

# Write both the binary and the source entry in one pass.
printf '%s\n' \
  "deb [signed-by=$KEYRING] https://deb.nodesource.com/$NODE_VERSION $DISTRIBUTION main" \
  "deb-src [signed-by=$KEYRING] https://deb.nodesource.com/$NODE_VERSION $DISTRIBUTION main" \
  | sudo tee /etc/apt/sources.list.d/nodesource.list

apt-get update
apt-get install -y nodejs
# Установка yarn
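# Register the Yarn APT repository and install yarn.
#
# The key is stored in a dedicated keyring and bound to this one repository
# with signed-by. `apt-key add` is deprecated and would place the key in the
# global trusted set, where it could vouch for packages from any configured
# repository.
YARN_KEYRING=/usr/share/keyrings/yarn.gpg

# -f makes curl fail on an HTTP error instead of piping an error page to gpg.
curl -fsSL https://dl.yarnpkg.com/debian/pubkey.gpg \
  | gpg --dearmor \
  | tee "$YARN_KEYRING" >/dev/null

echo "deb [signed-by=$YARN_KEYRING] https://dl.yarnpkg.com/debian/ stable main" \
  | tee /etc/apt/sources.list.d/yarn.list

apt-get update
apt-get install yarn -y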
# Создаем пользователя GVM от которого будет работать система.
# Dedicated system account for the GVM daemons: no home directory, its own
# group, and a shell that refuses interactive logins.
useradd --system --no-create-home --user-group \
  --shell /usr/sbin/nologin --comment "GVM User" gvm
# Скачиваем последние версии исходников пакетов входящих в состав системы GVM 22.4 и распаковываем их.
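# Fetch and unpack the sources of every GVM component into /opt/gvm-source.
#
# NOTE(review): "latest" resolves to whatever release each repository
# currently marks as latest, so the versions may differ from the release
# named in the title of this guide. The archives are also unpacked without
# any signature or checksum verification; check each one against the
# detached signature Greenbone publishes for its releases (where available
# for that tag) before building it as root.

# Print the latest release tag of greenbone/<repo> without its leading "v".
# Arguments: $1 - repository name
latest_release() {
  # -f/-S: surface HTTP errors (for example API rate limiting) instead of
  # silently producing an empty version.
  curl -fsS "https://api.github.com/repos/greenbone/$1/releases/latest" \
    | grep -Po '"tag_name":.*?[^\\]",' \
    | awk '{print $2}' \
    | sed 's/^..\(.*\)..$/\1/'
}

# Download v<version> of greenbone/<name>, unpack it and rename the extracted
# tree to <name>.
# Arguments: $1 - component name, $2 - version
# Returns:   non-zero if the version is unusable or any step fails
fetch_component() {
  local name=$1 version=$2
  # The version comes from a network response and ends up in a URL and in
  # file names, so accept only a plain version string.
  case "$version" in
    '' | *[!0-9A-Za-z.+-]*)
      printf 'skipping %s: unexpected version "%s"\n' "$name" "$version" >&2
      return 1
      ;;
  esac
  curl -f -L "https://github.com/greenbone/${name}/archive/refs/tags/v${version}.tar.gz" \
    -o "${name}-${version}.tar.gz" \
    && tar -xvzf "${name}-${version}.tar.gz" \
    && mv "${name}-${version}" "${name}"
}

mkdir -p /opt/gvm-source
if cd /opt/gvm-source/; then
  export GVM_LIBS_VERSION="$(latest_release gvm-libs)"
  export GVMD_VERSION="$(latest_release gvmd)"
  export PG_GVM_VERSION="$(latest_release pg-gvm)"
  export GSA_VERSION="$(latest_release gsa)"
  export GSAD_VERSION="$(latest_release gsad)"
  export OPENVAS_SMB_VERSION="$(latest_release openvas-smb)"
  export OPENVAS_SCANNER_VERSION="$(latest_release openvas-scanner)"
  export OSPD_OPENVAS_VERSION="$(latest_release ospd-openvas)"
  export NOTUS_VERSION="$(latest_release notus-scanner)"

  # Show the resolved versions, one per line, before anything is downloaded.
  printf '%s\n' \
    "$GVM_LIBS_VERSION" "$GVMD_VERSION" "$PG_GVM_VERSION" "$GSA_VERSION" \
    "$GSAD_VERSION" "$OPENVAS_SMB_VERSION" "$OPENVAS_SCANNER_VERSION" \
    "$OSPD_OPENVAS_VERSION" "$NOTUS_VERSION"

  fetch_component gvm-libs "$GVM_LIBS_VERSION"
  fetch_component gvmd "$GVMD_VERSION"
  fetch_component pg-gvm "$PG_GVM_VERSION"
  fetch_component gsa "$GSA_VERSION"
  fetch_component gsad "$GSAD_VERSION"
  fetch_component openvas-smb "$OPENVAS_SMB_VERSION"
  fetch_component openvas-scanner "$OPENVAS_SCANNER_VERSION"
  fetch_component ospd-openvas "$OSPD_OPENVAS_VERSION"
  fetch_component notus-scanner "$NOTUS_VERSION"
else
  echo "cannot enter /opt/gvm-source; nothing downloaded" >&2
fi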
# Собираем и устанавливаем пакет — gvm-libs (GVM Libraries)
# gvm-libs: out-of-tree CMake build, installed under /usr/local with
# configuration in /etc and state in /var.
cd gvm-libs
mkdir build && cd build
cmake \
  -DCMAKE_INSTALL_PREFIX=/usr/local \
  -DCMAKE_BUILD_TYPE=Release \
  -DSYSCONFDIR=/etc \
  -DLOCALSTATEDIR=/var \
  ..
make
make install
# Back to the source root for the next component.
cd ../..
# Собираем и устанавливаем пакет — gvmd (Greenbone Vulnerability Manager)
# gvmd: out-of-tree CMake build. The run directory, scanner socket and feed
# lock paths set here are the same ones the service units on this page use.
cd gvmd
mkdir build && cd build
cmake \
  -DCMAKE_INSTALL_PREFIX=/usr/local \
  -DCMAKE_BUILD_TYPE=Release \
  -DLOCALSTATEDIR=/var \
  -DSYSCONFDIR=/etc \
  -DGVM_DATA_DIR=/var \
  -DGVMD_RUN_DIR=/run/gvmd \
  -DOPENVAS_DEFAULT_SOCKET=/run/ospd/ospd-openvas.sock \
  -DGVM_FEED_LOCK_PATH=/var/lib/gvm/feed-update.lock \
  -DSYSTEMD_SERVICE_DIR=/lib/systemd/system \
  -DDEFAULT_CONFIG_DIR=/etc/default \
  -DLOGROTATE_DIR=/etc/logrotate.d \
  ..
make
make install
# Back to the source root for the next component.
cd ../..
# Собираем и устанавливаем пакет — pg-gvm
# pg-gvm: out-of-tree CMake build with the project's default install
# locations (no install prefix is passed here).
cd pg-gvm
mkdir build && cd build
cmake -DCMAKE_BUILD_TYPE=Release ..
make
make install
# Back to the source root for the next component.
cd ../..
# Собираем и устанавливаем пакет — gsa (Greenbone Security Assistant)
# gsa: build the web front end and copy the result to the directory gsad
# serves it from.
# NOTE(review): `yarn` pulls the project's JavaScript dependencies from the
# package registry and, like everything in this guide, runs as root.
cd gsa
# Start from a clean output directory.
rm -rf build
yarn
yarn build
mkdir -p /usr/local/share/gvm/gsad/web
cp -rv build/* /usr/local/share/gvm/gsad/web
cd ..
# Собираем и устанавливаем пакет — gsad (Greenbone Security Assistant Daemon)
# gsad: out-of-tree CMake build, installed under /usr/local.
cd gsad
mkdir build && cd build
cmake \
  -DCMAKE_INSTALL_PREFIX=/usr/local \
  -DCMAKE_BUILD_TYPE=Release \
  -DSYSCONFDIR=/etc \
  -DLOCALSTATEDIR=/var \
  -DGVMD_RUN_DIR=/run/gvmd \
  -DGSAD_RUN_DIR=/run/gsad \
  -DLOGROTATE_DIR=/etc/logrotate.d \
  ..
make
make install
# Back to the source root for the next component.
cd ../..
# Собираем и устанавливаем пакеты — openvas-smb
# openvas-smb: out-of-tree CMake build, installed under /usr/local.
cd openvas-smb
mkdir build && cd build
cmake \
  -DCMAKE_INSTALL_PREFIX=/usr/local \
  -DCMAKE_BUILD_TYPE=Release \
  ..
make
make install
# Back to the source root for the next component.
cd ../..
# Собираем и устанавливаем пакеты — openvas-scanner
# openvas-scanner: out-of-tree CMake build. INSTALL_OLD_SYNC_SCRIPT=OFF is
# passed to the build; feed synchronisation on this page is done with
# greenbone-feed-sync.
cd openvas-scanner
mkdir build && cd build
cmake \
  -DCMAKE_INSTALL_PREFIX=/usr/local \
  -DCMAKE_BUILD_TYPE=Release \
  -DINSTALL_OLD_SYNC_SCRIPT=OFF \
  -DSYSCONFDIR=/etc \
  -DLOCALSTATEDIR=/var \
  -DOPENVAS_FEED_LOCK_PATH=/var/lib/openvas/feed-update.lock \
  -DOPENVAS_RUN_DIR=/run/ospd \
  ..
make
make install
# Back to the source root for the next component.
cd ../..
# Устанавливаем — ospd-openvas
# ospd-openvas: install the unpacked source tree with pip under /usr/local.
cd ospd-openvas
python3 -m pip install \
  --prefix=/usr/local \
  --no-warn-script-location \
  .
cd ..
# Устанавливаем — notus-scanner
# notus-scanner: install the unpacked source tree with pip under /usr/local.
cd notus-scanner
python3 -m pip install \
  --prefix=/usr/local \
  --no-warn-script-location \
  .
cd ..
# Устанавливаем — greenbone-feed-sync
# greenbone-feed-sync comes from the Python package index, not from the
# unpacked sources. No version is pinned, so pip installs whatever release
# the index currently serves.
python3 -m pip install \
  --no-warn-script-location \
  --prefix=/usr/local \
  greenbone-feed-sync
# Устанавливаем — gvm-tools
# gvm-tools comes from the Python package index as well. No version is
# pinned, so pip installs whatever release the index currently serves.
python3 -m pip install \
  --no-warn-script-location \
  --prefix=/usr/local \
  gvm-tools
# Установка сервера Redis.
# Redis from the distribution repository; the scanner gets its own instance
# configuration in the next step.
apt-get install --yes redis-server
# Добавление конфигурации для запуска сервера Redis для сканера.
# Install the Redis configuration shipped with openvas-scanner and make the
# redis account its owner.
cp /opt/gvm-source/openvas-scanner/config/redis-openvas.conf /etc/redis/
chown redis:redis /etc/redis/redis-openvas.conf

# Point the scanner at the Unix socket of that Redis instance. tee -a appends
# to openvas.conf and echoes the added line.
printf '%s\n' 'db_address = /run/redis-openvas/redis.sock' \
  | tee -a /etc/openvas/openvas.conf
[stextbox id=’info’]ИНФОРМАЦИЯ. Если планируется сканировать большой диапазон адресов или сетей, рекомендую увеличить в /etc/redis/redis-openvas.conf значение databases как минимум до 4096. В противном случае, как это было у меня, при запуске сканирования нескольких подсетей с маской /24 задания в какой-то момент падали в статус Interrupted, а в логах можно было наблюдать ошибки:
libgvm util:CRITICAL:2023-06-01 07h14.08 utc:2728941: get_redis_ctx: redis connection error to /run/redis-openvas/redis.sock: No such file or directory
[/stextbox]
libgvm util:CRITICAL:2023-06-01 07h14.08 utc:2748188: No redis DB available
libgvm util:CRITICAL:2023-06-01 07h14.08 utc:2746600: get_redis_ctx: redis connection error to /run/redis-openvas/redis.sock: Connection refused
# Запускаем службу Redis и добавляем ее в автозагрузку.
# Start the scanner's Redis instance now, then register it for boot.
for action in start enable; do
  systemctl "$action" redis-server@openvas.service
done
# Добавление пользователя gvm в группу redis.
# Add gvm to the redis group as a supplementary group (existing groups are
# kept).
usermod --append --groups redis gvm
# Настраиваем Mosquitto MQTT Broker.
# Start the Mosquitto broker now, then register it for boot.
for action in start enable; do
  systemctl "$action" mosquitto.service
done

# Tell the scanner where the broker listens. tee -a appends to openvas.conf
# and echoes the added line.
printf '%s\n' 'mqtt_server_uri = localhost:1883' \
  | tee -a /etc/openvas/openvas.conf
# Настройка прав доступа на каталоги относящиеся к системе GVM.
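# Ownership and permissions for the GVM directories and binaries, plus the
# sudo rule that lets the gvm account start the scanner.
mkdir -p /var/lib/notus /run/notus-scanner /run/gvmd

# Data, log and runtime directories belong to gvm.
for dir in /var/lib/gvm /var/lib/openvas /var/lib/notus /var/log/gvm \
  /run/gvmd /run/notus-scanner; do
  chown -R gvm:gvm "$dir"
done

# Group read/write plus setgid, so new files keep the gvm group.
for dir in /var/lib/gvm /var/lib/openvas /var/log/gvm; do
  chmod -R g+srw "$dir"
done

# gvmd is setuid/setgid gvm (mode 6750) and not accessible to other users.
chown gvm:gvm /usr/local/sbin/gvmd
chmod 6750 /usr/local/sbin/gvmd

# Sync scripts: only files that actually exist are touched, so a script that
# was not installed does not produce an error.
if [ -e /usr/local/bin/greenbone-nvt-sync ]; then
  chown gvm:gvm /usr/local/bin/greenbone-nvt-sync
fi
for script in /usr/local/sbin/greenbone-*-sync; do
  [ -e "$script" ] || continue
  chown gvm:gvm "$script"
  chmod 740 "$script"
done

# Let gvm run the openvas binary through sudo without a password.
# The rule is assembled in a temporary file and syntax-checked with visudo
# before it is installed: a broken file in /etc/sudoers.d can make sudo
# unusable, and an empty path would produce exactly such a file.
openvas_bin="$(command -v openvas)"
if [ -z "$openvas_bin" ]; then
  echo "openvas not found in PATH; sudoers rule not written" >&2
else
  sudoers_rule="gvm ALL = NOPASSWD: $openvas_bin"
  sudoers_tmp="$(mktemp)"
  # Keep any rules already present and add ours only once.
  if [ -f /etc/sudoers.d/gvm ]; then
    cat /etc/sudoers.d/gvm > "$sudoers_tmp"
  fi
  grep -qxF -- "$sudoers_rule" "$sudoers_tmp" \
    || printf '%s\n' "$sudoers_rule" >> "$sudoers_tmp"
  if visudo -c -f "$sudoers_tmp"; then
    # Files in /etc/sudoers.d are expected to be root-owned and mode 0440.
    install -m 0440 -o root -g root "$sudoers_tmp" /etc/sudoers.d/gvm
  else
    echo "generated sudoers rule failed validation; not installed" >&2
  fi
  rm -f -- "$sudoers_tmp"
fi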
# Импорт ключа подписи Greenbone и установка уровня доверия для него.
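# Import the Greenbone Community signing key, mark it as trusted, and install
# the resulting keyring for the scanner.
#
# The work happens in a directory created by mktemp. Fixed names under /tmp
# can be pre-created or replaced by any local user, and these commands run as
# root.
GB_KEY_FPR=8AE4BE429B60A59B311C2E739823FAA60ED1E580
gb_key_workdir="$(mktemp -d)"

export GNUPGHOME="$gb_key_workdir/gnupg"
mkdir -m 700 -p "$GNUPGHOME"

curl -f -L https://www.greenbone.net/GBCommunitySigningKey.asc \
  -o "$gb_key_workdir/GBCommunitySigningKey.asc"
gpg --import "$gb_key_workdir/GBCommunitySigningKey.asc"

# Ownertrust is granted by fingerprint, so confirm that the key just imported
# actually carries that fingerprint.
if ! gpg --with-colons --fingerprint | grep -q "^fpr:.*:${GB_KEY_FPR}:"; then
  echo "warning: imported key does not match fingerprint ${GB_KEY_FPR}" >&2
fi
echo "${GB_KEY_FPR}:6:" | gpg --import-ownertrust

# Copy the prepared keyring to the scanner's GnuPG home and hand it to gvm.
export OPENVAS_GNUPG_HOME=/etc/openvas/gnupg
sudo mkdir -p "$OPENVAS_GNUPG_HOME"
sudo cp -r "$GNUPGHOME"/* "$OPENVAS_GNUPG_HOME"/
sudo chown -R gvm:gvm "$OPENVAS_GNUPG_HOME"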
[stextbox id=’info’]ИНФОРМАЦИЯ. Для проверки целостности загруженных исходных файлов с помощью GnuPG используется открытый ключ подписи сообщества Greenbone, импортированный в связку ключей текущего пользователя. Сама проверка подписи в командах выше не выполняется: её нужно запускать отдельно для каждого скачанного архива.[/stextbox]
# Настройка PostgreSQL. Создание пользователя и базы данных, настройка разрешений и расширений базы данных.
# PostgreSQL: create the gvm role and the gvmd database it owns.
sudo -Hiu postgres createuser gvm
sudo -Hiu postgres createdb -O gvm gvmd

# Run the remaining setup statements against the gvmd database, in order:
# a superuser "dba" role that is granted to gvm, then the two extensions.
for sql in \
  'create role dba with superuser noinherit;' \
  'grant dba to gvm;' \
  'create extension "uuid-ossp";' \
  'create extension "pgcrypto";'; do
  sudo -Hiu postgres psql -c "$sql" gvmd
done
# Создаем учетную запись администратора и устанавливаем его как владельца импорта фида.
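# Create GVM admin
# The password is read from the terminal instead of being fixed to a value
# printed in this guide: a known default on the administrator account hands
# the scanner, its results and any stored scan credentials to whoever can
# reach the web interface.
# NOTE(review): the password is still passed to gvmd as a command-line
# argument and is visible in the process list while the command runs.
read -r -s -p 'Password for the GVM "admin" account: ' gvm_admin_password
echo
if [ -z "$gvm_admin_password" ]; then
  echo "empty password; admin account not created" >&2
else
  sudo gvmd --create-user=admin --password="$gvm_admin_password"
fi
unset gvm_admin_password

## Retrieve our administrators uuid
# --get-users --verbose prints "<name> <uuid>" per user, for example:
#   admin 0279ba6c-391a-472f-8cbd-1f6eb808823b
admin_uuid="$(sudo gvmd --get-users --verbose | awk '$1 == "admin" {print $2}')"

## Set the value using the administrators uuid
if [ -n "$admin_uuid" ]; then
  sudo gvmd --modify-setting 78eceaec-3385-11ea-b237-28d24461215b --value "$admin_uuid"
else
  echo "could not determine the admin uuid; setting not changed" >&2
fi

# Generate GVM certificates for HTTPS
sudo -u gvm gvm-manage-certs -a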
# Создаем сервис запуска для — OpenVAS.
# systemd unit for ospd-openvas. It runs as gvm, listens on a Unix socket
# under /run/ospd (socket mode 0o770) and talks to the MQTT broker on
# localhost:1883.
# The here-document delimiter is quoted so the shell copies the unit text
# verbatim.
cat > /etc/systemd/system/ospd-openvas.service <<'UNIT'
[Unit]
Description=OSPd Wrapper for the OpenVAS Scanner (ospd-openvas)
Documentation=man:ospd-openvas(8) man:openvas(8)
After=network.target networking.service redis-server@openvas.service mosquitto.service
Wants=redis-server@openvas.service mosquitto.service notus-scanner.service
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
Group=gvm
RuntimeDirectory=ospd
RuntimeDirectoryMode=2775
PIDFile=/run/ospd/ospd-openvas.pid
ExecStart=/usr/local/bin/ospd-openvas --foreground --unix-socket /run/ospd/ospd-openvas.sock --pid-file /run/ospd/ospd-openvas.pid --log-file /var/log/gvm/ospd-openvas.log --lock-file-dir /var/lib/openvas --socket-mode 0o770 --mqtt-broker-address localhost --mqtt-broker-port 1883 --notus-feed-dir /var/lib/notus/advisories
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
UNIT
# Создаем сервис запуска для — notus-scanner.
# systemd unit for notus-scanner. It runs as gvm and is ordered after the
# Mosquitto broker.
# The here-document delimiter is quoted so the shell copies the unit text
# verbatim.
cat > /etc/systemd/system/notus-scanner.service <<'UNIT'
[Unit]
Description=Notus Scanner
Documentation=https://github.com/greenbone/notus-scanner
After=mosquitto.service
Wants=mosquitto.service
ConditionKernelCommandLine=!recovery

[Service]
Type=exec
User=gvm
RuntimeDirectory=notus-scanner
RuntimeDirectoryMode=2775
PIDFile=/run/notus-scanner/notus-scanner.pid
ExecStart=/usr/local/bin/notus-scanner --foreground --products-directory /var/lib/notus/products --log-file /var/log/gvm/notus-scanner.log
SuccessExitStatus=SIGKILL
Restart=always
RestartSec=60

[Install]
WantedBy=multi-user.target
UNIT
# Создаем сервис запуска для — GVM.
# systemd unit for gvmd. It runs as gvm and is ordered after PostgreSQL and
# ospd-openvas.
# NOTE(review): this writes to /lib/systemd/system, the same directory given
# to the gvmd build as SYSTEMD_SERVICE_DIR, so a gvmd.service installed there
# by `make install` would be replaced by this file.
cat > /lib/systemd/system/gvmd.service <<'UNIT'
[Unit]
Description=Greenbone Vulnerability Manager daemon (gvmd)
After=network.target networking.service postgresql.service ospd-openvas.service
Wants=postgresql.service ospd-openvas.service
Documentation=man:gvmd(8)
ConditionKernelCommandLine=!recovery

[Service]
Type=forking
User=gvm
Group=gvm
PIDFile=/run/gvmd/gvmd.pid
RuntimeDirectory=gvmd
RuntimeDirectoryMode=2775
ExecStart=/usr/local/sbin/gvmd --osp-vt-update=/run/ospd/ospd-openvas.sock --listen-group=gvm
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
UNIT
# Создаем сервис запуска для — GSA.
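# systemd unit for gsad, the web interface.
#
# gsad is started with --http-only, so logins and session cookies are sent
# unencrypted. The listener is therefore bound to the loopback address
# instead of 0.0.0.0. To use the interface from another machine, reach it
# through an SSH port forward or a TLS-terminating reverse proxy on this
# host; bind it to a routable address only on a network where cleartext
# administrative traffic is acceptable.
cat > /etc/systemd/system/gsad.service <<'UNIT'
[Unit]
Description=Greenbone Security Assistant daemon (gsad)
Documentation=man:gsad(8) https://www.greenbone.net
After=network.target gvmd.service
Wants=gvmd.service

[Service]
Type=forking
User=gvm
Group=gvm
RuntimeDirectory=gsad
RuntimeDirectoryMode=2775
PIDFile=/run/gsad/gsad.pid
ExecStart=/usr/local/sbin/gsad --listen=127.0.0.1 --port=9392 --http-only
Restart=always
TimeoutStopSec=10

[Install]
WantedBy=multi-user.target
Alias=greenbone-security-assistant.service
UNIT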
# Включаем в автозапуск созданные службы.
# Make systemd read the unit files written above, then register each GVM
# service for boot.
systemctl daemon-reload
for unit in notus-scanner ospd-openvas gvmd gsad; do
  systemctl enable "$unit"
done
# Выполняем первичную синхронизацию баз данных.
# First feed download, run as the gvm account rather than as root.
sudo --user=gvm greenbone-feed-sync
# Запускаем службы.
# Start the services in the order the guide lists them.
for unit in notus-scanner ospd-openvas gvmd gsad; do
  systemctl start "$unit"
done

# Then show the state of each one.
for unit in notus-scanner ospd-openvas gvmd gsad; do
  systemctl status "$unit"
done
# Устанавливаем задания cron (в моем случае задания добавлены для root пользователя) для выполнения синхронизации один раз в день.
# Update Feed data from Greenbone Community Feed 0 23 * * * sudo -u gvm greenbone-feed-sync 2>&1
# Тюнинг системы для повышение производительности.
# Kernel settings: append both values to /etc/sysctl.conf, then load the
# file.
printf '%s\n' \
  'net.core.somaxconn = 1024' \
  'vm.overcommit_memory = 1' >> /etc/sysctl.conf
sysctl -p

# Unit that writes 'never' to the transparent huge pages 'enabled' and
# 'defrag' controls. The delimiter is quoted so the shell leaves the
# embedded command line untouched.
cat > /etc/systemd/system/disable_thp.service <<'UNIT'
[Unit]
Description=Disable Kernel Support for Transparent Huge Pages (THP)

[Service]
Type=simple
ExecStart=/bin/sh -c "echo 'never' > /sys/kernel/mm/transparent_hugepage/enabled && echo 'never' > /sys/kernel/mm/transparent_hugepage/defrag"

[Install]
WantedBy=multi-user.target
UNIT

systemctl daemon-reload
systemctl enable --now disable_thp